The Office for Civil Rights just announced a $ 3 million penalty against Touchstone Medical Imaging, partly because Touchstone “failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.”

This is the first penalty that clearly states third-party data centers are Business Associates.